Filezilla installer is suspicious, again

I’m seeing hits on this file as well from advanced security tools in an enterprise environment. This appears to be a bit more than just a few false hits on VirusTotal. The installation of filezilla_3.29.0_win64-setup_bundled.exe file with MD5 of 9f405c266c883305537c11246bdb1d42 shows signs of malicious activity in the form of IDS/IPS bypass techniques to copy and append .dat files behind the scenes. This activity can sometimes be a false positive, but this does not appear to be a false hit.

The most suspicious part of the install we see is the spawning of an unsigned, unidentified process called tofufeti.exe which then spawns dozens of cmd.exe prompts to append these .dat files together after itself being put together by .dat file copy and appends.

See attached screenshot for the process chain we see spawning off of filezilla_3.29.0_win64-setup_bundled.exe. Each cmd.exe process expands into another chain of cmd.exe and conhost.exe processes to perform cleanup of the
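The process chain described in the post (installer → unsigned helper → dozens of cmd.exe children gluing .dat files together, each with a conhost.exe) is the kind of pattern a detection rule over process-creation telemetry can flag. The script below is an added example, not code from the post or the FileZilla project; the event records, the field names and the `copy /b` command lines are constructed to mirror the described behaviour and are assumptions, not captured logs.

```python
"""Flag an installer whose unsigned child fans out into many cmd.exe processes
that concatenate .dat files. Added example; events below are constructed."""
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style), not real logs.
EVENTS = [
    {"pid": 100, "ppid": 1, "signed": True, "cmd": "filezilla_3.29.0_win64-setup_bundled.exe",
     "image": r"C:\Users\u\Downloads\filezilla_3.29.0_win64-setup_bundled.exe"},
    {"pid": 200, "ppid": 100, "signed": False, "cmd": "tofufeti.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\tofufeti.exe"},  # unsigned helper
]
for i in range(12):  # dozens of cmd.exe children, each appending .dat chunks
    EVENTS.append({"pid": 300 + i, "ppid": 200, "signed": True,
                   "image": r"C:\Windows\System32\cmd.exe",
                   "cmd": f"cmd.exe /c copy /b part{i}.dat + part{i + 1}.dat out.dat"})
    EVENTS.append({"pid": 400 + i, "ppid": 300 + i, "signed": True,
                   "image": r"C:\Windows\System32\conhost.exe", "cmd": "conhost.exe"})

# Binary copy of one .dat onto another, the assumed shape of a "copy and append".
DAT_APPEND = re.compile(r"copy\s+/b\b.*\.dat\s*\+.*\.dat", re.IGNORECASE)

def descendants(children, pid):
    """Yield every process below pid in the tree, depth-first."""
    for child in children.get(pid, []):
        yield child
        yield from descendants(children, child["pid"])

def analyse(events, installer_substr="setup", cmd_threshold=10):
    """Return one finding per installer whose unsigned child spawns a cmd.exe fan-out."""
    children = defaultdict(list)
    for event in events:
        children[event["ppid"]].append(event)
    findings = []
    for root in events:
        if installer_substr not in root["image"].lower():
            continue
        for child in children[root["pid"]]:
            if child["signed"]:
                continue  # only unsigned helpers are of interest here
            subtree = list(descendants(children, child["pid"]))
            cmds = [p for p in subtree if p["image"].lower().endswith("\\cmd.exe")]
            dat_appends = sum(1 for p in cmds if DAT_APPEND.search(p["cmd"]))
            if len(cmds) >= cmd_threshold and dat_appends:
                findings.append({"installer": root["image"], "unsigned_child": child["image"],
                                 "cmd_count": len(cmds), "dat_appends": dat_appends})
    return findings

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Against real telemetry the same logic would read Sysmon or EDR process events instead of the constructed list; the threshold and the `setup` substring are tuning knobs, not fixed indicators.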
